Spread the love:

Like this:

Right so BIG NEWS, because he’s so far ahead I’m giving Dark-Fiber a Lavatube and making it a bit easier for the rest of you. Competition now ends on 25-03-12. Hopefully you will like that cause he was running away with it.

Thanks to everybody that voted, couldn’t have done it without ya ;)

—————————————-

Hello visitors, I need a little something back from you guys, so if I have ever helped you out in any way, I hope you can do this 1 small thing for me in return.

It’s quite simple, I REALLY want to win this little competition on Facebook, so I’m asking you guys to help me out.

It should literally take less than 10 seconds of your precious time, if you would be so kind.

All you need to do is click the “Like” button on the following Facebook page, and then write a comment on the wall saying “Dark-Fiber sent me“

C4E’s iXtreme LT+ in association with Team Jungle & Team Xecuter
—————————————————————-

Official release of the iXtreme LT+ v3.0 for 0272/0225/0401/1071 slim Liteons

– Support for topology data on AP25 enabled titles. Will correctly answer any ap25 challenge eliminating need for dae.bin to create a backup.

– No need to make new backups everytime dae.bin is updated on console

– Extra support for rare firmwares

Topology Data
————-

When ap25 was first introduced I devised a way of calculating any challenge which I called the silver bullet which I made reference to along time ago.
This was withheld until it was absolutely necessary. It was easier to replay the fixed challenges.

With unique per console ap25 challenges it has become necessary to use the silver bullet.

A series of measurements are taken across the disk. This topology data is then used to calculate a response to any ap25 challenge.

It is very important that the drive used to create the topology data is reliable at reading discs as bad topology data equals bad ap25 responses.

Liteon drives using 0800 v3 seem to be more accurate for this purpose. Only ap25 enabled titles require topology data. Activation of ap25 on older non-ap25 games although technically possible is highly unlikely.

Currently topology data for xgd3 titles are similar and topology data from one xgd3 title will pass on another xgd3 title although this is not advisable.

Per title title topology data is best as there are slight differences between titles and newer titles could have different topology than existing ones.

One liteon to go and four Hitachis. Have a great year everyone.

Thanks go to Team Jungle and all testers for their hard work and efforts in the development process.
Thanks also go to Team Xecuter for their support to this project.

**********************************
* The Xbox 360 reset glitch hack *
**********************************Introduction / some important facts
===================================tmbinc said it himself, software based approaches of running unsigned code on the 360 mostly don’t work, it was designed to be secure from a software point of view.The processor starts running code from ROM (1bl) , which then starts loading a RSA signed and RC4 crypted piece of code from NAND (CB).CB then initialises the processor security engine, its task will be to do real time encryption and hash check of physical DRAM memory. From what we found, it’s using AES128 for crypto and strong (Toeplitz ?) hashing. The crypto is different each boot because it is seeded at least from:
– A hash of the entire fuseset.
– The timebase counter value.
– A truly random value that comes from the hardware random number generator the processor embeds. on fats, that RNG could be electronically deactivated, but there’s a check for “apparent randomness” (merely a count of 1 bits) in CB, it just waits for a seemingly proper random number.CB can then run some kind of simple bytecode based software engine whose task will mainly be to initialise DRAM, CB can then load the next bootloader (CD) from NAND into it, and run it.Basically, CD will load a base kernel from NAND, patch it and run it.That kernel contains a small privileged piece of code (hypervisor), when the console runs, this is the only code that would have enough rights to run unsigned code.
In kernel versions 4532/4548, a critical flaw in it appeared, and all known 360 hacks needed to run one of those kernels and exploit that flaw to run unsigned code.
On current 360s, CD contains a hash of those 2 kernels and will stop the boot process if you try to load them.
The hypervisor is a relatively small piece of code to check for flaws and apparently no newer ones has any flaws that could allow running unsigned code.On the other hand, tmbinc said the 360 wasn’t designed to withstand certain hardware attacks such as the timing attack and “glitching”.Glitching here is basically the process of triggering processor bugs by electronical means.This is the way we used to be able to run unsigned code.The reset glitch in a few words
===============================We found that by sending a tiny reset pulse to the processor while it is slowed down does not reset it but instead changes the way the code runs, it seems it’s very efficient at making bootloaders memcmp functions always return “no differences”. memcmp is often used to check the next bootloader SHA hash against a stored one, allowing it to run if they are the same. So we can put a bootloader that would fail hash check in NAND, glitch the previous one and that bootloader will run, allowing almost any code to run.

Details for the fat hack
========================

On fats, the bootloader we glitch is CB, so we can run the CD we want.

cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is slowed down a lot, there’s a test point on the motherboard that’s a fraction of CPU speed, it’s 200Mhz when the dash runs, 66.6Mhz when the console boots, and 520Khz when that signal is asserted.

So it goes like that:
– We assert CPU_PLL_BYPASS around POST code 36 (hex).
– We wait for POST 39 start (POST 39 is the memcmp between stored hash and image hash), and start a counter.
– When that counter has reached a precise value (it’s often around 62% of entire POST 39 length), we send a 100ns pulse on CPU_RESET.
– We wait some time and then we deassert CPU_PLL_BYPASS.
– The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error AD, the boot process continues and CB runs our custom CD.

The NAND contains a zero-paired CB, our payload in a custom CD, and a modified SMC image.
A glitch being unreliable by nature, we use a modified SMC image that reboots infinitely (ie stock images reboot 5 times and then go RROD) until the console has booted properly.
In most cases, the glitch succeeds in less than 30 seconds from power on that way.

Details for the slim hack
=========================

The bootloader we glitch is CB_A, so we can run the CB_B we want.

On slims, we weren’t able to find a motherboard track for CPU_PLL_BYPASS.
Our first idea was to remove the 27Mhz master 360 crystal and generate our own clock instead but it was a difficult modification and it didn’t yield good results.
We then looked for other ways to slow the CPU clock down and found that the HANA chip had configurable PLL registers for the 100Mhz clock that feeds CPU and GPU differential pairs.
Apparently those registers are written by the SMC through an I2C bus.
I2C bus can be freely accessed, it’s even available on a header (J2C3).
So the HANA chip will now become our weapon of choice to slow the CPU down (sorry tmbinc, you can’t always be right, it isn’t boring and it does sit on an interesting bus

So it goes like that:
– We send an i2c command to the HANA to slow down the CPU at POST code D8 .
– We wait for POST DA start (POST DA is the memcmp between stored hash and image hash), and start a counter.
– When that counter has reached a precise value, we send a 20ns pulse on CPU_RESET.
– We wait some time and then we send an i2c command to the HANA to restore regular CPU clock.
– The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error F2, the boot process continues and CB_A runs our custom CB_B.

When CB_B starts, DRAM isn’t initialised so we chose to only apply a few patches to it so that it can run any CD, the patches are:
– Always activate zero-paired mode, so that we can use a modified SMC image.
– Don’t decrypt CD, instead expect a plaintext CD in NAND.
– Don’t stop the boot process if CD hash isn’t good.

CB_B is RC4 crypted, the key comes from the CPU key, so how do we patch CB_B without knowing the CPU key?
RC4 is basically:
crypted = plaintext xor pseudo-random-keystream
So if we know plaintext and crypted, we can get the keystream, and with the keystream, we can encrypt our own code. It goes like that:
guessed-pseudo-random-keystream = crypted xor plaintext
new-crypted = guessed-pseudo-random-keystream xor plaintext-patch
You could think there’s a chicken and egg problem, how did we get plaintext in the first place?
Easy: we had plaintext CBs from fat consoles, and we thought the first few bytes of code would be the same as the new CB_B, so we could encrypt a tiny piece of code to dump the CPU key and decrypt CB_B!

The NAND contains CB_A, a patched CB_B, our payload in a custom plaintext CD, and a modified SMC image.
The SMC image is modified to have infinite reboot, and to prevent it from periodically sending I2C commands while we send ours.

Now, maybe you haven’t realised yet, but CB_A contains no checks on revocation fuses, so it’s an unpatchable hack !

Caveats
=======

Nothing is ever perfect, so there are a few caveats to that hack:
– Even in the glitch we found is pretty reliable (25% success rate per try on average), it can take up to a few minutes to boot to unsigned code.
– That success rate seems to depend on something like the hash of the modified bootloader we want to run (CD for fats and CB_B for slims).
– It requires precise and fast hardware to be able to send the reset pulse.

Our current implementation
==========================

We used a Xilinx CoolRunner II CPLD (xc2c64a) board, because it’s fast, precise, updatable, cheap and can work with 2 different voltage levels at the same time.
We use the 48Mhz standby clock from the 360 for the glitch counter. For the slim hack, the counter even runs at 96Mhz (incremented on rising and falling edges of clock)
The cpld code is written in VHDL.
We need it to be aware of the current POST code, our first implementations used the whole 8 bits POST port for this, but we are now able to detect the changes of only 1 POST bit, making wiring easier.

Conclusion
==========

We tried not to include any MS copyrighted code in the released hack tools.
The purpose of this hack is to run Xell and other free software, I (GliGli) did NOT do it to promote piracy or anything related, I just want to be able to do whatever I want with the hardware I bought, including running my own native code on it.

Now offering a professional Reballing service in the UK

BGA Reballing

We offer a complete in house service with friendly on-line support, quality and a service that will give you total assurance that your repairs, servicing and purchases made through us will be handled in a professional and efficient manner.

We use only genuine components, the highest quality materials and professional equipment to ensure a permanent fix.

Our team of skilled technicians have the technical knowledge and expertise to tackle the most complicated problem.

For the most competitive price, and quickest turnaround time, allow us to provide you with a FREE QUOTATION on any repair requirements that you might have.

Please see the “SERVICES” link at the top of the page for contact details.

Also see HERE for further information regarding the reballing process.

A California man charged with violating the DMCA by installing mod chips in Xbox 360 consoles won’t be allowed to claim “fair use” at his scheduled jury trial next week, a federal judge ruled Tuesday — a decision potentially devastating to the defense, and not particularly favorable to anyone who thinks they have the right to tinker with hardware that they’ve bought and paid for.

Matthew Crippen, 28, faces three years in prison on two allegations of violating the anti-circumvention provisions of the Digital Millennium Copyright Act for financial gain. Crippen, who’s from Anaheim, allegedly had a business modding Xbox 360s for between $60 and $80 a pop, allowing the consoles to run pirated games or unapproved homebrew software. He was indicted after allegedly performing the silicon surgery for an undercover corporate security investigator with the Entertainment Software Association, then again for an undercover federal agent.

His trial is set to begin on November 30 in Los Angeles, and would be the first federal criminal prosecution for console-modding to reach a jury.

JungleFlasher is developed in conjunction with Team Jungle in an effort to bring all 360 DVD‐Drive flashing functions together in one easy to use Win32 Application. JungleFlasher provides several functions that up until now were carried out by several different app’s in both Dos and Win32.

If booting an AP25 title without AP25 SS game will not boot but will still be protected from logging AP25 violation on current dash 2.0.12611.0
If LT+ encounters an unknown AP25 challenge, game will not boot but console will still be protected from logging AP25 violation on current dash 2.0.12611.0

In case yours gets lost or damaged, or you want to sell your copy of Kinect Adventures, but still have a calibration card, I scanned the original and cleaned it up a bit.

Why M$ are charging $0.99 for this rather than giving you an image, or maybe a .pdf/.doc or whatever, is beyond me. I recommend printing this on card, or at least sticking the printed paper to some card for best results.

I decided to release my 3D reconstruction software, even though nobody will be able to compile it yet. The problem is that it’s built on top of the Vrui VR toolkit, version 2.0, which is not released yet. But hopefully in a few days. At that point, it will definitely build on Linux, and probably on Mac OS X if you find a Mac version of the libusb-1.0 library (which I think exists).

Introduction:
=============
Sad to hear the rumor of ikari stepping down, and even sadder to hear
of the profiteers taking advantage of this… we bring you a tribute
to ikari. If you paid for this, get a refund!

fbBuild is a NAND image builder made to suit freeBoot style images,
the included patches and freboot.bin core are based on the original
works done by ikari.

It is suitable to build rebooter images for all current JTAG exploit
compatible xbox 360’s. As with ibuild produced images, this version
only requires a single flash 16MiB in size or larger.

SoulHeaven of Librasoft and the Logic-Sunrise forums, introduces a new AP2.5 bypass for 360’s with dash version 12611

.

This means that consoles updated with 12611 that have Liteon or Benq drives which currently do not read the games like Fable III because of the new AP2.5 checks, are now able to read them.

This hack requires the use of the x360SED v1.0 chip created by SoulHeaven and will be sold within a few days exclusively on Logic-Sunrise and Librasoft Store.

The principle is simple:

– Install the x360SED chip between the 360 mainboard and the DVD drive, solder the one wire from the x360SED to the consoles sync button
– Install Fable III on your console’s hard drive (From an original or a backup)
– Insert the game Fable III until it is recognized by the dashboard (Image of the game while taking the square)
– Press the sync button to eject the game Fable III
– Insert an original game Xbox 360 (Any), press again and the sync button controllers
– Press A to start the game Fable III starts without worries.

Obviously this is not safe for use on Xbox Live

[1:58am] <+c4eva> just a word of warning on the sed “disc swap”, although this passes the timing check, ap25 also returns data from its check which will be wrong with the wrong disk and will get you banned!

You’ll be prompted to accept the update when you sign into Xbox Live sometime in the next few hours.

Regardless of what you have heard, it’s not geographically based. No one area of the world will get it before another.

If you keep signing out and then back in again, this will NOT force the update…it will only anger people on your friends list who will keep getting a notification. every. time. you sign. in.

Be patient, everyone will eventually receive the update

If you want to force the update, go to test connection and it should prompt you to do the update.

REMEMBER, it is advised to return your drives firmware to stock before doing dash updates. And for the time being, this update will not allow you to play new games containing ap2.5 And if you try to play those games, you will be flagged for a ban.

Here are a few of the features that are including in this update: Continue Reading

Spread the love:

Like this:

Please note that I am not a developer/coder of freeBOOT, I don’t have the source, and I don’t have anything to do with releasing it.

I’m making this post because I am still getting hammered with IMs and questions about the future of freeBOOT. I have been close friends with some of the people involved from the beginning, and I contribute when I can (as evidenced by all my freeBOOT videos on YouTube – I posted the first video of it).

The project is dead. This is confirmed by me via talks with the developers. There will not be a new freeBOOT when the new dash is released. This is not speculation, there are no “unreleased versions,” it was never in development, and there is nobody with the source who is going to release a new version. When pushed for details, it was said that the reason for stopping is due to the primary uses of freeBOOT being shameless piracy and illegitimate money from cheating, neither of which the developers support nor wish to enable.

That being said, that doesn’t mean there won’t be another rebooter released in it’s place. I have no knowledge of any such projects, and it doesn’t look too good considering freeBOOT was the only rebooter released for the 9199 dash, but it is not impossible by any means.

aka no Kinect for JTAG’s. Here’s hoping that something along the lines of XBR4 will come about and save the day.

Spread the love:

Like this:

Important Information About Your Xbox LIVE Service
On November 1, 2010, there will be a mandatory service update to Xbox LIVE. ( Full 12615 update? ) This update will both disable the ability to play backups of your latest games, (for now) and ensure your arse gets banned from Xbox LIVE. (Which would probably happen anyway) :)

Spread the love:

Like this:

As we mentioned here, here and here, TeamHades were working on the PS3’s BD Drive, they had managed to connect both fat and slim drives up to a PC and they also managed to find out how to grab the firmware of the drives, now it emerges, that the well known Xbox 360 DVD Drive circumventers TeamJungle, are helping TeamHades with their project, here is a translated quote from TeamHades blog:

As you read in the title of this entry, the TeamJungle is working in collaboration with the TeamHades in the Reader-DB Playstation3 undoubtedly good news for the community of DHorg and his followers.

c4eva is delighted to partner with our team and finally the ps3 reader fall.

For those who do not know the TeamJungle, I can only say that they are responsible for the hacks of the reader of the xbox360, as a result xbox360 users have for years been playing their backups.

Today youtube user xdemovideos, in conjunction with Team Xecuter, Team Jungle and c4eva, posted a video to youtube showing the proof of concept “hack” in action.

Many people have been screaming FAKE, and it’s kind of understandable, what with the amount of shit that gets posted to youtube, but as ever, you really should make some sort of attempt to find out wtf you’re talking about, before you go and make yourself look like a total cunt in public.

From my limited understanding, there will still be a long way to go before any sort of user friendly method is made available, but it’s great to see this milestone happen so soon after the release of a new drive. ( Philips Lite-On DG-16D4S FW ver: 9504 )

Spread the love:

Like this:

Although it’s been in the works for some time, a few days ago LoveMHz announced that he has gotten N64 emulation running on the Xbox 360 :D

.

About Love364, yes I changed the name ;D Currently we have the core, RSP, and audio implemented. Alot of work so far. Now what about video? Well it seems that every video plugin out there either uses OpenGL or DirectX with Fixed Pixel Pipelines which the Xbox360 does not support. Also due to the differences between Fixed Pixel Pipe-lining and HLSL a simple rewrite isn’t possible. So with the advice and over look of Zezu I have decided to write my own up to date graphics and RDP part of the emulation instead of hacking around Rice’s video code. Not much progress so far, expect I have been able to process and sort out the commands coming from the RSP. Still a lot of work todo. And thus the reason there isn’t any screenshots yet.

The general scoop of this is simple massive. Things can easily go wrong with around 20 basic commands and over 1,000 calls a second just for graphics. I easily I have my work cut out, even when I’m spending 10-12 hours a day coding.

Writing my own graphics plugin and RDP code has it’s pros, even though this just seems like a major set back.

So in general Love364 will hopefully redefine how N64 emulation looks and runs.

Current Emulation Status
Currently we are still running on one CPU core with little to no optimization with everything run minus graphics at around %50 of the N64 speed. I’ve yet to look into dynrec or inline function calling, but when the time comes there’s no reason why we shouldn’t be able to easily hit 100% speed on emulation.

Like this:

Oh sweet mercy, what have we here? A sneak peek (on video) of the looming PlayStation Store revamp and a confirmation of DTS-HD Master Audio output in the next PS3 firmware update, that’s what. Over on the PlayStation Blog, we’re casually walked through the impending v2.30 update, and just as we had heard, Blu-ray fans can shout in unison as the inclusion of their favorite audio codec (as well as DTS-HD High Resolution Audio) is just days away. Word on the street has v2.30 headed down the pipes on April 15th.

Sony KONPYUTAENTATEINMENTOJAPAN has announced that the revamped PlayStation Store will open its virtual doors on Tuesday, April 15th.

Update: SCEA has confirmed that loud-mouthed, spendthrift American PS3s will be allowed to roam the aisles on the same day, as will systems from around the globe.

The store revamp will be facilitated by enhanced firmware (version 2.30) and should mark the return of weekly content updates which have been absent since April 3rd. Once the more user-friendly interface is up and running, PS3 owners will be able to download fun things like Warhawk‘s Broken Mirror expansion and the ‘Still Alive’ DLC for Rock Band.

Official 2.0.14699.0 dashboard update (Download)
(scroll down on those pages for the real links)

Prepare your EnvironmentInstall the NAND-X drivers (info)Update your NAND-X to v3 if needed (info)Create a new folder on your C: drive called nandpro3Extract the following files/folder to C:\nandpro3

Nandpro30.rar

DLPortIO.rar

coolrunner_xsvf_jed.rar

360_Multi_Builder_vX.X.rar

360_flash_tool_v0.97.rar

2.0.XXXXX.0_USB.zip

(Just so I don’t have to keep editing this guide so much, rename 360_Multi_Bulider_vX.X to 360_Multi_Builder)

Replace xenon.elf in 360_Multi_Builder\Data with the one from Rawflash v4 or later.

**Note** Only the .xsvf files from coolrunner_xsvf_jed.rar are required for the TX Coolrunner. The .jed files are for other devices.

Dump/Read the NANDBefore dumping your NAND, it’s probably a good idea to update your xbox to the latest dashboard version. You can do this via Xbox Live, USB key or CD. This is not needed, but it’s probably quicker to get it out of the way now, and will save you and extra step at the end of the guide.DO NOTupdate to any higher version than this guide is based on, just in case MS release and update that can disable this hack. Apparently, that isn’t something they can actually do with the Reset Glitch Hack (unlike the JTAG hack) But you never know.So, with that out of the way, on to the good stuff…Take the console apart and remove the motherboard from the metal cage (info)Connect your NAND-X to the 360 motherboard by soldering your QSB’s, Pin Headers, or direct cable connections to the correct points on your motherboard.NAND-X Install Guides

Once you have your NAND-X wires installed, connect it to your PC via the USB cable…

*Note* The pins you see connected to the motherboard in the above picture, are the “legs” cut from resistors, soldered to the cables and covered in heat-shrink tubing. For me personally, I find this the best method for doing multiple installs. Clean, fast, resilient and should last forever.

Make sure that the mains power is connected to the xbox, but do not turn the xbox on.
(while the power is connected, the xbox is in Standby mode, giving power to various components. This is needed in order to be able to communicate with the NAND)

Now, on your computer, open a command prompt and navigate to…

C:\nandpro3

Do that by hitting the start button, typing cmd and hitting Enter. Then type cd \nandpro3 and hit Enter.

Or.., hold the Shift key, and Right Click on a blank space inside the nandpro3 folder, then click “Open Command window here”

Now type (or Copy and Paste) the following commands, into the command window (same command for Phats or Slims, see Note)
This will dump/read your entire 16MB NAND twice, and save the dumps/files in the nandpro3 folder.

Bad Blocks?If bad blockswere found while dumping your NAND…Open one of your NAND dumps in 360 flash dump tool 0.97Don’t worry if it says BADKV all over the place, this is normal because you haven’t entered the CPU Keyyet. (We will get to that later).Check for a bad blocks tab, next to the file system tab.If there is no bad blocks tab, you have no bad blocks.

If there IS a bad blocks tab, click on the tab and verify that it looks like this:

Note: Bad Block ID 0x0349 [Offset: 0x00D8D200]

-> Block ID 0x0349 found @ 0x3FD [Offset: 01073A00]

You should see the above 2 lines of text, for each bad block you have.

The numbers may be different of course, depending on which blocks are bad, but the point is, for each bad block, you should see that the block was found @ another block.

This means that you did have bad blocks, but they have been corrected by the NANDs error correction, so they are legit bad blocks, and not just read errors due to dodgy soldering.

Example of 3 corrected bad blocks…

If the errors are at block 0x050 or above, no further action needs to be taken, because…

“Many user reports indicate that using Xell-Reloaded/Rawflash v3 to flash the Dashboard image, has a much better result over flashing with hardware flashers. This is because it helps to auto-remap the bad blocks in case they exist.”

As we will be booting into Xell-Reloaded, which will use Rawflash v3 to flash the NAND later on, the bad blocks will be auto remapped for us.

But…

If you see:Note: Bad Block ID 0x0349 [Offset: 0x00D8D200]

But NO found @ location for the block, that means this bad block was the result of a read error with the NAND reader. Check your soldering and try again.

If you have Bad Blocks at 0x050 or below, check out Martin C’s guide on how to manually remap them. (Info)

If all checks out, you now have 2 good NAND dumps.

KEEP THEM SAFE. FOREVER.

Create your XeLL/ECC Glitch imageCopy your nanddump.bin file from the nandpro3folder, to …360_Multi_Builder\Data\my360Launch Run.exe from the 360_Multi_BuilderfolderPress the number corresponding to your motherboard revision, and hit EnterYou will get a warning saying The file “cpukey.txt” is missing.

This is normal as we haven’t created it yet. Press any key to continue.

Sit back and watch 360 Multi Bulider do it’s stuff…

Press any key to close 360 Mulit Builder

Your Image_00000000.ecc file has now been created in 360_Multi_Builder\Data

Flash the Reset Glitch Hack v1.1 .ecc file to the NANDMove the image_000000000.ecc file into the nandpro3folderEnter the following command for slim consoles and non BB Phatsnandpro usb: +w16 image_00000000.eccOr for BB Jaspers…nandpro usb: +w64 image_00000000.ecc*Note: it must be +w16 NOT -w16

Programming the TX CoolRunnerDisconnect the cables from the NAND-X (not sure if that’s actually needed, but probably for the best) (the wires can stay soldered for now)Make sure the switch on the CoolRunner is set to PRG(program)Connect the CoolRunner to your NAND-X using the NAND-X to CoolRunner JTAG CableEnter one of the following commands (corresponding to your motherboard revision) (info) into the command prompt window, and hit Enter.

Once the CoolRunner is programmed, it will say “Successfully executed file“, in the command prompt window, and the Green LED will turn off.

Now disconnect the CoolRunner from the NAND-X, and move switch to NOR (Normal)

Also make sure that the other switch is now set to the correct position for your console type (Phat or Slim)

Install the TX CoolRunner
Now that you have good/matching NAND dumps, you have programmed the CoolRunner, and have created the Xell/ECC Glitch image, this is probably the best time to install the chip.Printer friendly, quick install guides (A4 paper, 300dpi) (LINK)Various other install methods and tips (LINK)

Retrieve your CPU KeyNow that your CoolRunner is fully programmed/installed, it’s time to boot the console and retrieve the CPU Key.At this point you only need to connect…

Power

Video

RF board/Power button

Fan and Shroud (recommended for phats)

Network cable (optional, recommended)

Once you have the above items connected, turn on the console.
(you do not need to boot with the eject button, because the console will only boot into XeLL (Xenon Linux Loader) at this time)

You should see a constant Red LED on the CoolRunner as soon as you connect power to the console, joined by a flashing Green LED when you turn it on.

The flashing Green LED indicates that Glitch attempts are taking place.

If you do not see this happening, turn the console off, and refer to the FAQ at the bottom of this guide.

Once the Glitch is successful, you will be greeted on screen with the awesomeness that is XeLL-Reloaded

You may now retrieve your CPU Key, either by copying it from the screen

Or by connecting the Xbox to your LAN via an Ethernet cable, and downloading the info from XeLL-Reloaded via it’s http web interface.

Using your web browser, connect to the IP address shown next to network config: For example: http://192.168.1.47

From XeLL-Reloaded’s web interface…

Download your keyvault

Copy and paste the info from fuses into a .txt file

Copy and Paste your CPU Key and DVD key at the bottom of that .txt file, and save as fuses.txt

Copy ONLY the numbers/letters from your cpu key, and past them into a new .txt file

Save this file as cpukey.txt

As you can see above, your CPU Key is made up of two fuseset lines, i.e 03 + 05, or 03 +06, ect.

Your LDV (Lock Down Value) starts on line 07, the amount of f’s = the value, so in the above image, the LDV value is 2

Create your NAND ImageMove cpukey.txtto…360_Multi_Builder\Data\my360Launch 360 Multi Builder again and press the number corresponding your motherboard revision.You may get a message informing you that “No fcrt.bin found in this nand.“
This is not uncommon, and is nothing to worry about, so just continue.Just for completeness, here is what it looks like if your NAND does contain fcrt.bin
Again, just press Enter to continue.

You are now given the option to create a Glitch image, or a stock NANDimage (Retail MS). For the purpose of this guide, you want to choose 1

Now that Multi Builder has your NANDdump and CPU Key, it will use xeBuild to create your new “hacked” NAND image (nandflash.bin) and save it in 360_Multi_Builder\Data

(image – xeBuild Finished. Have a nice day)

(image – recommended flashing method)

DashLaunch Optinons

*****COMING SOON*****

Flash your NANDCopy nandflash.bin and xenon.elf from 360_Multi_Builder\Datato a USB keyIf the console is still running, with XeLL on screen, insert the USB key now.XeLL-Reloaded will find xenon.elf and use it to flash nandflash.binto your NAND. (if not, turn the console off, and on again)(again, still no need to boot with the eject button at this time)Once you see “Image written, shut down now!” on your screen, turn off the console and remover the power for at least 30 seconds, and remove the USB key.

You can use this time to put the motherboard back in the cage, and reconnect your HDD, and DVD drive.

Replace the power, and boot the console. You are now running a hacked dash

If all is well, fully reassemble the console.

Finishing UpDepending on the dashboard version you were on before you started, you may need to perform an update in order to get Avatars/Kinectworking correctly.If that is the case, put the USB key back in your PC, and delete the files from it.Now place the $systemupdate folder from the official 2.0.14699.0update, on the USB KeyIf you chose to create your NAND image with DashLaunch patches included (as you should have), then rename$systemupdate to $$ystemupdateotherwise the update wont install, because DashLaunch is configured to block updates by default.Make sure your xbox has some storage space for the update files, like a HDD or internal memory

Insert the USB key into the 360, and allow it to perform the update.

You are now ready to start installing all sorts of homebrew win, but before you do that, make backup copies of the following files, and put them somewhere safe.

Thanks to blackwolf over at EMS for a large hunk of this guide, taken from here… http://www.elitemods…al-by-blackwolf and anybody else I may have nicked bits from, here and there And obviously a huge thanks to everybody involved in making all this even possible, not least of course, the legend that is gligli.

This was just compiled and edited to fit my own needs, but I thought If I padded it out a bit, it may be helpful to others who have the same TX based setup.

If there is anything I have left out, or something I have totally butchered (bad blocks section?), pull me on it, so I can fix it. Thanks.